3701.75
Authenticating health care records.

(1)
"Electronic record" means a record
communicated, received, or stored by electronic, magnetic, optical, or similar
means for storage in an information system or transmission from one information
system to another. "Electronic record" includes a record that is communicated,
received, or stored by electronic data interchange, electronic mail, facsimile,
telex, or similar methods of communication.

(2)
"Electronic signature" means any of the
following attached to or associated with an electronic record by an individual
to authenticate the record:

(a)
A code
consisting of a combination of letters, numbers, characters, or symbols that is
adopted or executed by an individual as that individual's electronic signature;

(c)
An electronic image of an individual's
handwritten signature created by using a pen computer.

(3)
"Health care record" means any document
or combination of documents pertaining to a patient's medical history,
diagnosis, prognosis, or medical condition that is generated and maintained in
the process of the patient's treatment.

(B)
All notes, orders, and observations
entered into a health care record, including any interpretive reports of
diagnostic tests or specific treatments, such as radiologic or
electrocardiographic reports, operative reports, reports of pathologic
examination of tissue, and similar reports, shall be authenticated by the
individual who made or authorized the entry. An entry into a health care record
may be authenticated by executing handwritten signatures or handwritten
initials directly on the entry. An entry that is an electronic record may be
authenticated by an electronic signature if all of the following apply:

(1)
The entity responsible for creating and
maintaining the health care record adopts a policy that permits the use of
electronic signatures on electronic records.

(2)
The entity's electronic signature system
utilizes either a two-level access control mechanism that assigns a unique
identifier to each user or a biometric access control device.

(3)
The entity takes steps to safeguard
against unauthorized access to the system and forgery of electronic signatures.

(4)
The system includes a process
to verify that the individual affixing the electronic signature has reviewed
the contents of the entry and determined that the entry contains what that
individual intended.

(5)
The
policy adopted by the entity pursuant to division (B)(1) of this section
prescribes all of the following:

(a)
A
procedure by which each user of the system must certify in writing that the
user will follow the confidentiality and security policies maintained by the
entity for the system;

(c)
Training for all users of the system that
includes an explanation of the appropriate use of the system and the
consequences for not complying with the entity's confidentiality and security
policies.